b"           OFFICE OF\n    THE INSPECTOR GENERAL\n\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n    REVIEW OF SOCIAL SECURITY\n  ADMINISTRATION CONTROLS OVER\n    THE ACCESS, DISCLOSURE AND\n  USE OF SOCIAL SECURITY NUMBERS\n       BY EXTERNAL ENTITIES\n\n  December 2002     A-08-02-22071\n\x0c                                    Mission\nWe improve SSA programs and operations and protect them against fraud, waste,\nand abuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration officials, the Congress, and the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  m Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  m Promote economy, effectiveness, and efficiency within the agency.\n  m Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  m Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  m Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  m Independence to determine what reviews to perform.\n  m Access to all information necessary for the reviews.\n  m Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nBy conducting independent and objective audits, investigations, and evaluations,\nwe are agents of positive change striving for continuous improvement in the\nSocial Security Administration's programs, operations, and management and in\nour own office.\n\x0c                    
SOCIAL SECURITY
MEMORANDUM

Date:    December 30, 2002
To:      The Commissioner
From:    Inspector General
Subject: Review of Social Security Administration Controls over the Access, Disclosure and Use of Social Security Numbers by External Entities (A-08-02-22071)

OBJECTIVE

Our objective was to assess the Social Security Administration's (SSA) controls over the access, disclosure and use of Social Security numbers (SSN) by external entities.

BACKGROUND

The SSN was created in 1936 as a means of tracking workers' earnings and eligibility for Social Security benefits. However, over the years, the SSN has become a de facto national identifier used by Federal agencies, State and local governments, and private organizations. Government agencies frequently ask individuals for their SSNs because, in certain instances, the law requires them to or because SSNs provide a convenient means of tracking and exchanging information. While a number of laws and regulations require the use of SSNs for various Federal programs, they generally also impose limitations on how these SSNs may be used. Although no single Federal law regulates overall use and disclosure of SSNs by Federal agencies, the Freedom of Information Act of 1966, the Privacy Act of 1974, and the Social Security Act Amendments of 1990 generally govern disclosure and use of SSNs.
See Appendix A for more information on the specific provisions of these laws.

Because of concerns related to perceived widespread sharing of personal information and occurrences of identity theft, Congress asked the General Accounting Office (GAO) to study how and to what extent Federal, State and local government agencies use individuals' SSNs and how these entities safeguard records or documents containing those SSNs.[1] As part of the study, GAO sent questionnaires to 18 Federal agencies (including SSA) that routinely collect, maintain, and use individuals' SSNs. Specifically, GAO's questionnaires asked each Federal agency to provide information about the following:

· methods by which the agency obtains, maintains, and uses individuals' SSNs;
· practices for providing individuals' SSNs to other organizations; and
· practices for safeguarding records containing SSNs.

The information SSA and the other Federal agencies provided was self-reported, and GAO did not verify the responses.

[1] Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards (GAO-02-352, May 2002).

This report serves as a follow-up to GAO's study and provides a more in-depth analysis of SSA's controls over the access, disclosure and use of SSNs by external entities.

SCOPE AND METHODOLOGY

To accomplish our objective, we

· interviewed SSA Headquarters personnel responsible for controls over the access, disclosure and use of SSNs;
· reviewed relevant SSA procedures and practices;
· verified and updated key pieces of information SSA provided to GAO;
· reviewed applicable laws and regulations;
· observed selected contractor activities; and
· reviewed relevant audit reports.

Although SSA procedures and practices related to the access, disclosure and use of SSNs by external entities are virtually the same for all Agency programs, we focused our work on SSA's title II program. We selected this program, after consultation with SSA representatives, because it is the largest program for which SSA is responsible.

We performed our review at SSA Headquarters in Baltimore, Maryland, and a field office in Birmingham, Alabama. In addition, we interviewed personnel at three State Disability Determination Services (DDS) to assess their controls over contractors' access and use of SSNs.[2] We also visited five independent contractors in Birmingham, Alabama, to assess their controls for safeguarding SSN information.

The SSA entities reviewed were the Offices of the Deputy Commissioners for Finance, Assessment and Management; Disability and Income Security Programs; and Systems.

[2] In accordance with SSA disclosure regulations (20 CFR 401.25), SSA considers DDS personnel as SSA employees for purposes of accessing and re-disclosing personally identifiable information in SSA's possession when making disability determinations.
Therefore, we consider DDS personnel as SSA employees for purposes of this report.

We conducted our audit from February through September 2002 in accordance with generally accepted government auditing standards.

RESULTS OF REVIEW

Although SSA has controls over the access, disclosure and use of SSNs by external entities, we are concerned about the Agency's exposure to improper SSN attainment and misuse. We identified instances in which SSA personnel unnecessarily displayed SSNs on documents they sent to external entities that may not have had a need to know. In addition, we identified instances in which SSA personnel were not adequately monitoring contractors' access and use of SSNs. Furthermore, based on our review of recent audit reports related to SSA's information security environment, the Agency may be vulnerable to unauthorized access to its computer systems containing SSNs.

SSA Makes Legal and Informed Disclosures But Unnecessarily Displays SSNs on Certain Documents it Sends to External Entities

SSA generally makes proper SSN disclosures to external entities. SSA personnel inform numberholders whether they must provide their SSN to apply for benefits and, if so, how the Agency will use the SSN. We did not identify any specific instances involving improper disclosure of SSNs. Moreover, according to attorneys with SSA's Office of General Counsel, the Agency has not been party to any litigation regarding improper SSN disclosure.

SSA's disclosure policy allows for the release of individuals' SSNs to external entities as necessary to administer its programs under the Social Security Act. SSA releases SSNs with the numberholder's written consent and in other situations where Federal law authorizes disclosure.
Examples include disclosure of SSNs in the following circumstances.

· To Federal, State and local governments that are authorized under Federal law to collect and use SSNs to administer income and health maintenance programs. For example, the Department of Veterans Affairs uses SSNs to administer its veterans pension and compensation programs.
· To prison systems, because Federal law requires that they report prison information to SSA.
· To States' vital records and statistics agencies for administering public health and income maintenance programs, including statistical studies and evaluation projects.[3]

[3] Master Files of SSN Holders and SSN Applications, SSA/OSR, 60-0058.

While delivering services and benefits, SSA, like many Federal agencies, displays SSNs on documents that may be viewed by others, some of whom may not have a need to know. We identified instances in two States in which DDS personnel unnecessarily displayed SSNs on documents they sent to third parties. DDS personnel routinely send questionnaires to third parties (for example, neighbors or friends) requesting information about disability claimants' daily activities. We question whether individuals receiving these questionnaires need to know a disability claimant's SSN. We also identified instances in which SSA personnel displayed SSNs on forms they sent to vocational experts (independent contractors) requesting opinions about disability claimants' ability to work.
We question whether these third parties need to know a disability claimant's SSN.

We believe displaying SSNs on documents sent to individuals who may not have a need to know increases the risk that others may improperly obtain and misuse the SSN. In fact, personnel in one State DDS told us they recognized the vulnerability associated with displaying SSNs on third-party questionnaires and changed to a case numbering system to identify claimant files, so that the SSN no longer appears on the questionnaire.

SSA Places Safeguard Requirements on Contractors But Lacks Adequate Monitoring

SSA and State DDSs award thousands of contracts, acquisitions, and orders each year. Examples of contractors who use files and other information that may contain SSNs include doctors (that is, panel physicians) who perform medical examinations for disability determinations and vocational experts who provide opinions to SSA's Office of Hearings and Appeals.

SSA's disclosure policy allows SSA to provide SSNs to contractors as necessary to assist the Agency in carrying out its statutory responsibilities.[4] Contracts generally contain standard language related to personal information safeguards, including the SSN, which SSA requires contractors to follow. Contracts may also contain penalty provisions for misuse of information by contractors. SSA places numerous requirements regarding the privacy of SSNs on contractors. For example, entities receiving SSN information (1) cannot provide it to other entities, (2) cannot allow any unauthorized persons to see individuals' SSNs, and (3) must keep records containing SSNs in a secure place.

To determine whether SSA had appropriate controls over contractors' access to, and use of, SSNs, we reviewed monitoring site visit reports and checklists, observed security practices at contractors' offices, and examined a written agreement.
Our review of SSA's formal and informal site visit reports found that personnel did not address the security of personal identifying information, such as SSNs, during monitoring visits. The monitoring checklist State DDS personnel use when conducting contractor site visits, which conforms to SSA guidelines,[5] likewise does not address the security of personal identifying information. Given the importance of preventing improper attainment and misuse of SSNs, we believe SSA's monitoring activities should include an evaluation of contractors' security practices to ensure they uphold their obligation to protect the confidentiality and security of SSNs.

[4] Ibid.
[5] Program Operations Manual System, DI 39545.900.

Based on our discussions and observations at panel physicians' offices, we are also concerned about controls over contractors' security practices for file storage. For example, we noted instances in which physicians maintained personal identifying information, including SSNs, in unlocked file cabinets or storage rooms, neither of which provided adequate security. State DDS personnel who accompanied us on our site visits shared our concern about inadequate file security.

The agreement with Consulting Professionals and Hospitals or Clinics (panel physicians) we reviewed includes language that prohibits "unauthorized disclosure of information." The agreement also addresses potential third-party providers who may provide needed assistance, such as transcription services.
The agreement requires panel physicians to inform a third party "that services are being performed in connection with a Social Security program, and that improper disclosure of information about the subject individual is prohibited." Panel physicians we interviewed told us they had not discussed security of personal identifying information, such as SSNs, with transcription services personnel, as required by their agreement with SSA. In addition, although the Blanket Purchase Agreement SSA uses for vocational experts incorporates the Privacy Act by reference, we encourage SSA to add specific SSN disclosure language for emphasis, as it does in other SSA contracts.

SSA Places Controls over Access to Individuals' SSNs Maintained in its Databases, But Weaknesses Exist

Although SSA limits access to its databases primarily to its employees, the Agency also authorizes systems access to external entities for specific purposes. For example, SSA allows agencies such as the Centers for Medicare and Medicaid Services and the Railroad Retirement Board access to its databases to assist in beneficiary eligibility determinations. SSA also allows contractors access to its databases to provide such services as software design and support and data processing.

Federal laws lay out a framework for Federal agencies to follow when establishing information security programs that protect sensitive personal information, such as SSNs.[6] This framework includes four principles that are important to an overall information security program: periodically assess risk, implement policies and controls to mitigate risks, promote awareness of information security risks, and continually monitor and evaluate information security practices.
To gain a better understanding of whether SSA had in place measures to adequately safeguard SSNs that are consistent with the Federal framework, we reviewed recent audit reports related to its information security environment. See Appendix B for a list of audit reports related to SSA's information security environment.

[6] See the Computer Security Act of 1987, Pub. L. No. 100-235, 101 Stat. 1724 (1988); the Paperwork Reduction Act of 1995, Pub. L. No. 104-13, 109 Stat. 163 (1995); the Clinger-Cohen Act of 1996, Pub. L. No. 104-106 § 4304, 110 Stat. 186, 659 (1996); and OMB guidance, such as Circular A-130.

SSA's information security framework includes self-reviews and policies and procedures to safeguard its sensitive information systems. For example, SSA conducts annual self-reviews on its sensitive systems to certify that adequate controls exist.[7] In addition, SSA formed a Security Response Team to address security incidents involving its computer systems, Internet and Intranet servers, and Local Area Network servers.[8] To detect systems violations, SSA uses such tools as integrity reviews, audit trail systems, and access controls. Furthermore, to better coordinate and monitor its Agency-wide security framework, SSA recently established the Office of the Chief Information Officer to centralize system security policies and procedures.

We acknowledge SSA has made strides in its information security efforts. However, despite SSA's controls, recent Office of the Inspector General and contractor audit reports identified weaknesses within its information security environment.
Main areas of vulnerability include the following:

· physical access controls at non-Headquarters locations, including SSA's regional offices, program service centers, and selected DDSs;
· implementation and monitoring of technical security configuration standards governing systems housed in the National Computer Center and at off-site locations; and
· monitoring of security violations and periodic review of user access.[9]

Because of the sensitive nature of information security issues, we chose to withhold detailed descriptions of the information security control weaknesses identified in recent audit reports. We are working with SSA to reach consensus on an effective action plan to resolve these weaknesses.

[7] Social Security: Annual Program Review Government Information Security Reform Act, September 2002, pp. 3-4.
[8] A Local Area Network or LAN is a system for linking programs, storage, and devices to multiple workstations over an area such as within a building.
[9] Social Security Administration Performance and Accountability Report for Fiscal Year 2001, December 2001, pp. 225-226.

CONCLUSION AND RECOMMENDATIONS

Despite SSA's safeguards to prevent improper access, disclosure and use of SSNs by external entities, the Agency remains at risk of such activity. We recognize SSA's efforts can never eliminate the potential that unscrupulous individuals may inappropriately acquire and misuse SSNs. Nonetheless, we believe SSA, as a Federal agency and public servant, has a duty to safeguard the integrity of SSNs by reducing opportunities for external entities to improperly obtain and misuse the SSNs.
Given the potential for individuals to engage in such activity, we believe SSA would benefit by strengthening some of its controls over the access, disclosure and use of SSNs by external entities.

Accordingly, we recommend that SSA:

1. Limit SSN display on documents sent to external entities to those that have a need to know.

2. Monitor contractors' access, disclosure and use of SSNs to ensure they uphold their obligation to protect the confidentiality and security of SSNs.

3. Continue to address identified weaknesses within its information security environment to better safeguard SSNs.

AGENCY COMMENTS

SSA agreed with our recommendations. Regarding Recommendation 1, SSA agreed that SSNs should not be used on documents sent to external entities that do not have a need to know the SSN. SSA plans to issue a reminder to the DDSs regarding adherence to the policy and procedural instructions that govern the display of SSNs on correspondence. Regarding Recommendation 2, SSA stated it plans to add specific SSN disclosure language to its contracts/Blanket Purchase Agreements by the end of Fiscal Year 2003. SSA also stated it plans to issue a reminder to State DDSs to re-emphasize the serious responsibility to monitor and protect the confidentiality and security of SSNs disclosed to contractors and to revise site visit instructions to include specific reference to monitoring the security of the information. Regarding Recommendation 3, SSA stated it will continue to work with the OIG to reach consensus on an effective action plan to resolve identified information security weaknesses. The full text of SSA's comments is included in Appendix C.

James G. Huse, Jr.

Appendices

APPENDIX A – Federal Laws that Restrict Disclosure of the Social Security Number
APPENDIX B – Reports Related to the Social Security Administration's Information Security Environment
APPENDIX C – Agency Comments
APPENDIX D – OIG Contacts and Staff Acknowledgments

Appendix A

Federal Laws that Restrict Disclosure of the Social Security Number

The following Federal laws establish a framework for restricting Social Security number (SSN) disclosure.[1]

The Freedom of Information Act (5 U.S.C. 552)

The Freedom of Information Act (FOIA) establishes a presumption that records in the possession of Executive Branch agencies and departments are accessible to the people. FOIA, as amended, provides that the public has a right of access to Federal agency records, except for those records that are protected from disclosure by nine stated exemptions. One of these exemptions allows the Government to withhold information about individuals in personnel and medical files and similar files when the disclosure would constitute a clearly unwarranted invasion of personal privacy. According to Department of Justice guidance, agencies should withhold SSNs under this FOIA exemption. This statute does not apply to State and local governments.

The Privacy Act of 1974 (5 U.S.C. 552a)

The Privacy Act regulates Federal agencies' collection, maintenance, use and disclosure of personal information maintained by agencies in a system of records. The Act prohibits the disclosure of any record contained in a system of records unless the disclosure is made based on a written request or prior written consent of the person to whom the records pertain or is otherwise authorized by law.
The Act authorizes 12 exceptions under which an agency may disclose information in its records.

The Act contains a number of additional provisions that restrict Federal agencies' use of personal information. For example, an agency must maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose required by statute or Executive Order of the President, and the agency must collect information to the greatest extent practicable directly from the individual when the information may result in an adverse determination about an individual's rights, benefits and privileges under Federal programs.

[1] Summarized from Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards (GAO-02-352, May 2002).

The Social Security Act Amendments of 1990 (42 U.S.C. 405(c)(2)(C)(viii))[2]

The Social Security Act bars disclosure by Federal, State and local governments of SSNs collected pursuant to laws enacted on or after October 1, 1990. This provision of the Act also contains criminal penalties for "unauthorized willful disclosures" of SSNs. Because the Act specifically cites willful disclosures, careless behavior or inadequate safeguards may not be subject to criminal prosecution. Moreover, applicability of the provision is further limited in many instances because it only applies to disclosure of SSNs collected in accordance with laws enacted on or after October 1, 1990. For SSNs collected by Federal entities pursuant to laws enacted before October 1, 1990, this provision does not apply and therefore would not restrict disclosing the SSN. Finally, because the provision applies to disclosure of SSNs collected pursuant to laws requiring SSNs, it is not clear whether the provision also applies to disclosure of SSNs collected without a statutory requirement to do so.
This provision applies to Federal, State and local governmental agencies; however, the applicability to courts is not clearly spelled out in the law.

[2] Pub. L. No. 101-624 § 2201, 104 Stat. 3359, 3951 (1990).

Appendix B

Reports Related to the Social Security Administration's Information Security Environment

The Social Security Administration's Office of the Inspector General

  General Controls of the Alabama Disability Determination Services Claims Processing System Need Improvement, A-14-02-22089, September 2002.
  The Social Security Administration's Compliance with the Government Information Security Reform Act, A-14-02-12042, September 2002.
  Review of Security over Remote Access to the Social Security Administration's Main Processing Environment, A-14-01-11010, May 2002.
  Disclosure of Personal Beneficiary Information to the Public, A-01-01-01018, January 2002.
  Management Advisory Report: Implementation of the Government Information Security Reform Act, A-14-01-21056, September 2001.
  The Social Security Administration's Compliance with the Government Information Security Reform Act, A-14-01-21055, September 2001.
  Audit of the Administrative Costs Claimed by the Connecticut Disability Determination Services, A-15-00-30016, September 2001.
  Social Security Administration's Intelligent Work Station/Local Area Network and Telecommunication Security, A-14-99-11005, August 2001.
  Management Advisory Report: Compliance of the Social Security Administration's Computer Security Program with Applicable Laws and Regulation, A-13-98-12044, June 2001.
  Management Advisory Report: Administration of TOP SECRET at the National Computer Center, A-14-99-11001, September 2000.
  Social Security Administration's Suitability Program for Employees and Contractors, A-14-99-12006, June 2000.

PricewaterhouseCoopers LLP

  Social Security Administration's Fiscal Year 2001 Audit/Management Letter Part 1, November 2001.

Janus Associates, Inc.

  SSA-63 Task 1 Penetration Testing for Social Security Administration, March 2001.

Deloitte & Touche

  Social Security Administration National Computer Center Likelihood Report (Contract No. 600-98-34387), July 2001.
  Title II Redesign, Release One (Contract No. 600-98-34387), June 2001.

Department of the Treasury, Internal Revenue Service

  Safeguard Review Report (Catalog No. 45306Z), January 2000.

Appendix C

Agency Comments

SOCIAL SECURITY
MEMORANDUM

Date:    December 16, 2002                                     Refer To: S1J-3
To:      James G. Huse, Jr.
         Inspector General
From:    Larry W. Dye  /s/
         Chief of Staff
Subject: Office of the Inspector General Draft Report, "Review of Social Security Administration Controls over the Access, Disclosure and Use of Social Security Numbers by External Entities" (A-08-02-22071) - INFORMATION

We appreciate OIG's efforts in conducting this review. Our comments on the report content and recommendations are attached.

Please let us know if we can be of further assistance.
Staff questions can be referred to Laura Bell on extension 52636.

Attachment:
SSA Response

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "REVIEW OF SOCIAL SECURITY ADMINISTRATION CONTROLS OVER THE ACCESS, DISCLOSURE AND USE OF SOCIAL SECURITY NUMBERS BY EXTERNAL ENTITIES" (A-08-02-22071)

As OIG is aware, we have long been concerned about ensuring the confidentiality of all personal information maintained by the Agency. We already have established policies, procedures and technical configuration standards and requirements.

To safeguard our sensitive information systems, we have included self-reviews, policies and procedures in our information security framework. In addition, we monitor technical configuration standards of systems throughout the Agency and perform systems security reviews and audits periodically throughout the year. We have established a Security Response Team (SRT) to address security incidents.

On a quarterly basis, we examine, audit and review audit conclusions and recommendations to determine the progress we have made toward closure of the issues.

We are actively reviewing access at component levels, and will continue to monitor security violations and periodic reviews of user access. We are working with OIG to establish an acceptable review and control process for access at all component levels. For the Disability Determination Services in the states, we have developed and distributed a security document and continue to work with them to ensure compliance with established policies, procedures, and configuration standards.

We also actively monitor network activity for anomalies and have a real-time emergency notification program.
The notification program provides continuous coverage and responds to any threats and vulnerabilities.

With the policies, procedures, configuration standards, and monitoring activity presently in place and the addition of improved technologies/processes as they are available, we will continue to make strides in our information security efforts.

Our responses to the specific recommendations are provided below.

Recommendation 1

Limit Social Security Number (SSN) display on documents to external entities to those that have a need to know.

Comment

We agree that SSNs should not be used on documents sent to external entities that do not have a need to know the SSN. We have policy and procedural instructions in place (POMS GN 03325.005, GN 03325.020) that govern the display of SSNs on correspondence. We will issue a reminder to the Disability Determination Services (DDS) regarding adherence to the policy and instructions.

Recommendation 2

Monitor contractors' access, disclosure and use of SSNs to ensure they uphold their obligation to protect the confidentiality and security of SSNs.

Comment

We agree with the recommendation to the extent that it applies to contracts and contractor performance for which the Agency has responsibility, including the addition of specific SSN disclosure language to the Blanket Purchase Agreements (BPA) that the Office of Hearings and Appeals (OHA) awards to Medical and Vocational Experts. We plan to add the specific SSN disclosure language in the several thousand contracts/BPAs before the end of this fiscal year.

As for OIG's observations regarding contracts awarded by the State DDSs, these contracts are not subject to SSA's acquisition policy or to the Federal Acquisition Regulation.
We will issue a\nreminder to the States to re-emphasize the serious responsibility to monitor and protect the\nconfidentiality and security of SSNs and personal identity information disclosed to their\ncontractors, and will revise the site visit instructions to include specific reference to monitoring\nthe security of the information.\n\nRecommendation 3\n\nContinue to address identified weaknesses within the Agency\xe2\x80\x99s information security environment\nto better safeguard SSNs.\n\n\nComment\n\nWe will continue to work with OIG, as noted in the report, to reach consensus on an effective\naction plan to resolve the identified weaknesses.\n\n\n\n\n                                                C-3\n\x0c                                                                        Appendix D\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Jeff Pounds, Acting Director, Southern Audit Division, (205) 801-1606\n\nStaff Acknowledgments\n\nIn addition to the persons named above:\n\n   Kathy L. Youngblood, Auditor-in-Charge\n\n   Theresa Roberts, Auditor\n\n   Kimberly Beauchamp, Writer/Editor\n\nFor additional copies of this report, please visit our web site at www.ssa.gov/oig or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Specialist at (410) 966-1375.\nRefer to Common Identification Number A-08-02-22071.\n\x0c                          DISTRIBUTION SCHEDULE\n\n                                                                          No. 
of\n                                                                         Copies\n\nCommissioner of Social Security                                               1\nManagement Analysis and Audit Program Support Staff, OFAM                    10\nInspector General                                                             1\nAssistant Inspector General for Investigations                                1\nAssistant Inspector General for Executive Operations                          3\nAssistant Inspector General for Audit                                         1\nDeputy Assistant Inspector General for Audit                                  1\n Director, Data Analysis and Technology Audit Division                        1\n Director, Financial Audit Division                                           1\n Director, Southern Audit Division                                            1\n Director, Western Audit Division                                             1\n Director, Northern Audit Division                                            1\n Director, General Management Audit Division                                  1\nTeam Leaders                                                                 25\nIncome Maintenance Branch, Office of Management and Budget                    1\nChairman, Committee on Ways and Means                                         1\nRanking Minority Member, Committee on Ways and Means                          1\nChief of Staff, Committee on Ways and Means                                   1\nChairman, Subcommittee on Social Security                                     2\nRanking Minority Member, Subcommittee on Social Security                      1\nMajority Staff Director, Subcommittee on Social Security                      2\nMinority Staff Director, Subcommittee on Social Security                      2\nChairman, Subcommittee on Human Resources                                     1\nRanking Minority Member, Subcommittee on Human 
Resources                      1\nChairman, Committee on Budget, House of Representatives                       1\nRanking Minority Member, Committee on Budget, House of Representatives        1\nChairman, Committee on Government Reform and Oversight                        1\nRanking Minority Member, Committee on Government Reform and Oversight         1\nChairman, Committee on Governmental Affairs                                   1\n\x0cRanking Minority Member, Committee on Governmental Affairs                    1\nChairman, Committee on Appropriations, House of Representatives               1\nRanking Minority Member, Committee on Appropriations,\n House of Representatives                                                    1\nChairman, Subcommittee on Labor, Health and Human Services, Education\n and Related Agencies, Committee on Appropriations,\n House of Representatives                                                     1\nRanking Minority Member, Subcommittee on Labor, Health and Human\n Services, Education and Related Agencies, Committee on Appropriations,\n House of Representatives                                                     1\nChairman, Committee on Appropriations, U.S. Senate                            1\nRanking Minority Member, Committee on Appropriations, U.S. Senate             1\nChairman, Subcommittee on Labor, Health and Human Services, Education\n and Related Agencies, Committee on Appropriations, U.S. Senate               1\nRanking Minority Member, Subcommittee on Labor, Health and Human\n Services, Education and Related Agencies, Committee on Appropriations,\n U.S. 
Senate                                                                  1\nChairman, Committee on Finance                                                1\nRanking Minority Member, Committee on Finance                                 1\nChairman, Subcommittee on Social Security and Family Policy                   1\nRanking Minority Member, Subcommittee on Social Security and Family Policy    1\nChairman, Senate Special Committee on Aging                                   1\nRanking Minority Member, Senate Special Committee on Aging                    1\nPresident, National Council of Social Security Management Associations,\n  Incorporated                                                                1\nTreasurer, National Council of Social Security Management Associations,\n  Incorporated                                                                1\nSocial Security Advisory Board                                                1\nAFGE General Committee                                                        9\nPresident, Federal Managers Association                                       1\nRegional Public Affairs Officer                                               1\n\n\nTotal                                                                        96\n\x0c                 Overview of the Office of the Inspector General\n\n\n                                      Office of Audit\nThe Office of Audit (OA) conducts comprehensive financial and performance audits of the\nSocial Security Administration\xe2\x80\x99s (SSA) programs and makes recommendations to ensure that\nprogram objectives are achieved effectively and efficiently. Financial audits, required by the\nChief Financial Officers' Act of 1990, assess whether SSA\xe2\x80\x99s financial statements fairly\npresent the Agency\xe2\x80\x99s financial position, results of operations and cash flow. Performance\naudits review the economy, efficiency and effectiveness of SSA\xe2\x80\x99s programs. 
OA also\nconducts short-term management and program evaluations focused on issues of concern to\nSSA, Congress and the general public. Evaluations often focus on identifying and\nrecommending ways to prevent and minimize program fraud and inefficiency, rather than\ndetecting problems after they occur.\n\n                            Office of Executive Operations\nThe Office of Executive Operations (OEO) provides four functions for the Office of the\nInspector General (OIG) \xe2\x80\x93 administrative support, strategic planning, quality assurance, and\npublic affairs. OEO supports the OIG components by providing information resources\nmanagement; systems security; and the coordination of budget, procurement,\ntelecommunications, facilities and equipment, and human resources. In addition, this Office\ncoordinates and is responsible for the OIG\xe2\x80\x99s strategic planning function and the development\nand implementation of performance measures required by the Government Performance and\nResults Act. The quality assurance division performs internal reviews to ensure that OIG\noffices nationwide hold themselves to the same rigorous standards that we expect from the\nAgency. This division also conducts employee investigations within OIG. The public affairs\nteam communicates OIG\xe2\x80\x99s planned and current activities and the results to the Commissioner\nand Congress, as well as other entities.\n\n                                 Office of Investigations\nThe Office of Investigations (OI) conducts and coordinates investigative activity related to\nfraud, waste, abuse, and mismanagement of SSA programs and operations. This includes\nwrongdoing by applicants, beneficiaries, contractors, physicians, interpreters, representative\npayees, third parties, and by SSA employees in the performance of their duties. 
OI also\nconducts joint investigations with other Federal, State, and local law enforcement agencies.\n\n                          Counsel to the Inspector General\nThe Counsel to the Inspector General provides legal advice and counsel to the Inspector\nGeneral on various matters, including: 1) statutes, regulations, legislation, and policy\ndirectives governing the administration of SSA\xe2\x80\x99s programs; 2) investigative procedures and\ntechniques; and 3) legal implications and conclusions to be drawn from audit and\ninvestigative material produced by the OIG. The Counsel\xe2\x80\x99s office also administers the civil\nmonetary penalty program.\n\x0c"